> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-( > > With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but... > > When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses? > > This seems...... awkward (and error prone). > > Am I missing something, or is it that bad?

If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP. If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.

> > On Jan 17, 2012, at 8:04 PM, Tom Perrine wrote: > >> Someone must have already figured this out; I'm feeling "virtual Monday" pretty bad right now :-( >> >> With IPv6 a host can have "lots" (more than 1) of possible IPv6 addresses to use as the source address. I've read the RFCs, so I can (usually) make a good guess as to which one will be used, but... >> >> When writing a host-specific ip6tables rule, which address do you need to list? All of the possible Global Scoped addresses? >> >> This seems...... awkward (and error prone). >> >> Am I missing something, or is it that bad? > > If you have control over the host, you can set and/or verify its source address selection policy to make sure you use the right IP.

might not work all time, since the source and destination address selection algorithm depends on the destination. Therefore, the host can use address A to reach B and address C to reach D. Moreover, host OS and software (browsers) already implement happy-eyeballs or variations of this that make the assumption even less appropriate.

> If you don't, you shouldn't trust that the IP continues to refer to the same host over long periods of time, and simply filter based on the actual source IP you see at the moment. Besides, if a host starts using a different source address (e.g. privacy addresses) it's very likely that it doesn't *want* to be treated as the same host.

things that _may_ help you Tom is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely have a single global address and is not going to use temporary addresses.

> On Tue, Jan 17, 2012 at 05:04:00PM -0800, Tom Perrine wrote: > > When writing a host-specific ip6tables rule, which address > do you need > > to list? All of the possible Global Scoped addresses? > > Maybe this is an indication that host-specific ipv6 firewall rules for > "only certain hosts in an otherwise non-trusted /64 subnet" > is a stupid > idea right from the start... and this is stupid in IPv4 networks as well.

If you want to have host specific filtering of outgoing traffic, please use proxies with user authentication.

Anyway, because of the huge address space in IPv6, one option would be to spend every host it's own subnet (up to 65000 hosts). But I wouldn't recommend this...

> things that _may_ help you Tom is whether the provisioning of the host is done by DHCPv6, which is what many enterprises are using/planning to use. In this case, the host most likely have a single global address and is not going to use temporary addresses.

Though DHCPv6 supports temporary addresses. Which may be a good compromise between accountability and user privacy.

a) this sort of scenario is intrinsic to the design of IPv6, so get used to it.

b) it is *very* hard to get border router and firewall configurations correct to deal with it. In fact, reports on the reachability of 2404:138:4004::1 and 2001:df0:0:201e::1 would help me a lot right now: they are the same machine, but we are having difficulty getting them both pingable simultaneously.

c) the IETF is trying to sort this out in the MIF (multiple interface) and HOMENET WGs, but for now it does seem to be a matter of twiddling router rules and firewall rules by hand. Not pretty.

On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote: > Someone must have already figured this out; I'm feeling "virtual Monday" > pretty bad right now :-( > > With IPv6 a host can have "lots" (more than 1) of possible IPv6 > addresses to use as the source address. I've read the RFCs, so I can > (usually) make a good guess as to which one will be used, but... > > When writing a host-specific ip6tables rule, which address do you need > to list? All of the possible Global Scoped addresses? > > This seems...... awkward (and error prone). > > Am I missing something, or is it that bad? > > --tep

if using DHCPv6 and refusing to route unleased addresses (or subnets) *isn't* an option for you and SLAAC is a must, then the only real way to handle this is allocate a /64 *per host* and perform your firewalling on the CIDR boundary - not an entirely impossible prospect if you have a reasonable subnet size to play with.

On a side note, one thing to bear in mind is that when you make router advertisements, you can set AdvOnlink to off which has the effect of causing /all/ traffic for that subnet to be routed; hosts will not attempt or use neighbour discovery - useful if you want to use a single subnet across multiple VLANs.

Or more simply, with modern (cough since 1995!) switches it is easy to get as many layer-2 domains as you want with VLAN. With IPv6, you usually receives thousands of /64. As it is easy to spoof among a layer-2 (assuming SAVI/SeND are not used) domain for IPv4 and IPv6, then, the best recommendation is to put all hosts with the same security level into one /64 (.1X can help) and build your ip6tables on /64 and not /128. Then SLAAC & DHCP or whatever will work like a charm (assuming basic anti-spoofing)

-éric

> -----Original Message----- > From: ipv6-ops-bounces+evyncke=cisco.com [at] lists [mailto:ipv6-ops- > bounces+evyncke=cisco.com [at] lists] On Behalf Of Olipro > Sent: mercredi 18 janvier 2012 20:58 > To: ipv6-ops [at] lists > Subject: Re: ip6tables and multiple possible source addresses > > On Tuesday 17 Jan 2012 17:04:00 Tom Perrine wrote: > > Someone must have already figured this out; I'm feeling "virtual Monday" > > pretty bad right now :-( > > > > With IPv6 a host can have "lots" (more than 1) of possible IPv6 > > addresses to use as the source address. I've read the RFCs, so I can > > (usually) make a good guess as to which one will be used, but... > > > > When writing a host-specific ip6tables rule, which address do you need > > to list? All of the possible Global Scoped addresses? > > > > This seems...... awkward (and error prone). > > > > Am I missing something, or is it that bad? > > > > --tep > > if using DHCPv6 and refusing to route unleased addresses (or subnets) > *isn't* an option for you and SLAAC is a must, then the only real way to > handle this is allocate a /64 *per host* and perform your firewalling on > the CIDR boundary - not an entirely impossible prospect if you have a > reasonable subnet size to play with. > > On a side note, one thing to bear in mind is that when you make router > advertisements, you can set AdvOnlink to off which has the effect of > causing /all/ traffic for that subnet to be routed; hosts will not attempt > or use neighbour discovery - useful if you want to use a single subnet > across multiple VLANs.

On 2012-01-19 09:40, Cameron Byrne wrote: > I guess I missed why the simplest answer does not apply > > If you are already creating host specific iptables, why not just use a > static address that is permanent? This really works the same in ipv4 and > ipv6, right?

> On 2012-01-19 09:40, Cameron Byrne wrote: >> I guess I missed why the simplest answer does not apply >> >> If you are already creating host specific iptables, why not just use a >> static address that is permanent? This really works the same in ipv4 and >> ipv6, right? > > Yes, but static addresses are an ivitation to trouble later on. > http://tools.ietf.org/html/draft-carpenter-6renum-static-problem

Which is more frequent, renumbering or tweaking firewall rules? There is a tradeoff - everybody should decide according their taste. Best Regards, Janos Mohacsi

On 19.01.2012 09:48, Mohacsi Janos wrote: > Which is more frequent, renumbering or tweaking firewall rules? There > is a tradeoff - everybody should decide according their taste.

In my opinion firewalls should change their behaviour in flexible rules. I don't want to enter the prefix explicitly in each rule but only the host part.

Example: I configure my currently prefix 2001:db8::/48 as prefix-set MY-NETWORK. In a rule I only use MY-NETWORK:dead:beef:0:1.

On the big day of prefix change I advance my prefix-set by simply adding the new prefix - letting the old one still there.. After the renumbering phase I simply delete my old prefix 2001:db8::/48 from the prefix-set and I'm done.

Firewalls have to change for real ipv6 ops.

And by the way: I really don't care for my servers on the renumbering day. They are all static configured but managed by puppet. Changing the ip will just be a small script.

On Thu, Jan 19, 2012 at 10:55:16AM +0100, Jens Weibler wrote: > I configure my currently prefix 2001:db8::/48 as prefix-set MY-NETWORK. > In a rule I only use MY-NETWORK:dead:beef:0:1. > > On the big day of prefix change I advance my prefix-set by simply adding > the new prefix - letting the old one still there.. > After the renumbering phase I simply delete my old prefix 2001:db8::/48 > from the prefix-set and I'm done. > > Firewalls have to change for real ipv6 ops.

Seconded. That is one of the big things that needs to change (and not only in firewalls, but also in DNS and DHCPv6 management software, etc.).